b'March 14, 2008\n\nGEORGE W. WRIGHT\nVICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS\n\nDEBORAH M. GIANNONI-JACKSON\nVICE PRESIDENT, EMPLOYEE RESOURCE MANAGEMENT\n\nSUBJECT: Audit Report \xe2\x80\x93 Update Processes for Xxxxxx Xxxxxxxxx xxx XXXXXXX\n         (Report Number IS-AR-08-009)\n\nThis report presents the results of our self-initiated review of the update processes to\nthe Xxxxxx Xxxxxxxxx1 and Xxxxxxxx Xxxxxxxxxx Xxxxxx Xxxxxxx Xxxxxxxx x (Xx-\nXXXX)2 systems (Project Number 07RG013IS000). Our objective was to evaluate the\ncontrols over employee and contractor employment status updates to Xxxxxx\nXxxxxxxxx (Xxxxxxxx Xxxxxxxxx Xxxxxxxxxxx [XXX]) and XXXXXXX (xxxxxxxxx)\nsystems. If employment status data do not flow accurately from xxxxxx xxxxxxx xxxx\nxxxxxx xxxxxxxxx xxx xxxxxxx, or if internal controls in these systems are not in place or\nworking properly, it could result in improper or unauthorized user access to information\nsystems.\n\n                                             Background\nThe xXxxxxx system has become an integral part of the day-to-day operations of the\nU.S. Postal Service. The system not only monitors who obtains access to various\nPostal Service resources, it also automates the creation and maintenance of user\naccounts. Its functionality provides efficiencies that allow for the elimination of the\nPostal Service (PS) Form 1357, Request for Computer Access, and the associated\nmanual effort necessary to approve and create user accounts.\n\nEmployees and contractors use the xXxxxxx system to obtain automated access to\nregistered Postal Service XXX and mainframe systems.3 For example, entering a new\nhire in the Xxxxx Xxxxxxx Xxxxxxxxxx Xxxxxx (XXXX) generates a PS Form 50,\n\n1\n  Xxxxxx xxxxxxxxx xx x xxxxxxxxx xxxxxx xxxx xxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx xxxxxx xxxxxxxxx xxx xxxxxxx\nXxxxxxx xxxxxxx. 
Xx xxxxxx xx x xxxxxxx xxxxxxxxxx xxx xxxxxxxxx xxxx xxxxxxx xxx xxxx xxx xxxxxx xxxxxxxxxx\nxxxxx xxxxxxxxxxxxxx (xxx xxx xxxxx xxx) xxx xxxxxxxxxxxxx (xxxx xxxxxxxxx xxx xxxxx xxx xxxxxx) xxxxxxxxx.\n2\n  XXXXXXX xx xxx xxxxxxxx xxxxxxxx xxxx xxx Xxxxxx xxxxxxx xxxx xx xxxxxxx xxxxxxxx xxxxxxxx xxx xxxxxxxxxx\nxx x xxxxxxxxx xxxxxxxxxxx. Xxx Xxxxxx Xxxxxxx xxxxxxxxx xxxx xXxxxx\xe2\x84\xa2 XXXXXXX\xc2\xae xxxxxxx xxx.\n3\n  Xxxx xxxxxxxxx xxxxxxxxxxxx xxx xxx xxxxxxxxxx xx xxxxxxx, xxx xxxxxxxxxxxx xxx xxxxxxxxx xxxxx xxxxx.\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                        IS-AR-08-009\n\n\n\nNotification of Personnel Action. xxxxxxx builds an employee profile for a new\nemployee from the PS Form 50 data transmitted from XXXX and assigns the employee\na universal identifier (UID).4 Then, bridging software extracts the employment data from\nxxxxxxx and populates an XXX logon ID5 record in Xxxxxx Xxxxxxxxx. The logon ID\nremains inactive in Xxxxxx Xxxxxxxxx until the manager approves access. Over\n100,000 additions, deletions, and changes occur weekly to Xxxxxx Xxxxxxxxx through\nxXxxxxx and the bridging software. Xxx Xxxxxxxx X xxx x xxxxxxxxx xxxxxxxxx xx xxxx\nxxxx xxxx.\n\nX xxxxxxxxxxx xx xxxxxx xxx xxxxxxxxx xxxxxxxxx xxxxx XXXXXXX xxxx xxxxxxx. Xxx\nxxxxx xxxxxxxxxxxx xxx xxxxxxxxxx xx xXxxxxx, Xxxx Xxxxxxxxx Xxxxxxxx XXXXX\nXxxxxxxx xxxxxxx xxxx x xxxxx XX Xxxx xxxx xxx xxxxxxxxx xx xxxxxxxxxxx xxx\nxxxxxxx xxxxxx xx xxx xxxxxxxxx. Xx xxx xxxx, xxx xxxxxxxxx xxxx xxxxxxx xxx\nxxxxxxx xx xx xxxxxxxx xx xxx xxxxxxxxxxx xxxxxxx. XXX Xxxxxxxx xxxx xxxxxxx x\nxxxxxxx xxxxxxx xxx xxxxxx xxx xxxxxxxxxxx xxxxxx. 
Xx xxx xxxxxxxxxxx xx\nxxxxxxxxxx, XXX Xxxxxxxx xxxx x xxxxxx xx xxxxxxxxx xxxxxxxx xx xxxxxxxx xxx\nxxxxxxx x xxxx xxxxxxx (xxxxxxxxxx XX Xxxx xxxx) xxxxxxx xXxxxxx xxx XXXXXXX.\n\nTo identify significant changes in employment data, XXX Xxxxxxxx routinely runs\nautomated jobs that provide daily reports. These jobs compare employee information\nrecords from the payroll system Xxxxxxxx Xxxxxx Xxxx xxxx XXXXXXX xxxx. When\nXXX Xxxxxxxx finds significant differences in employment information such as finance\nnumber or occupation code changes, they send a notification requesting the user\nprovide a revised access request. Consistent with Handbook AS-805, Information\nSecurity,6 if XXX Xxxxxxxx does not receive a new PS Form 1357 within a specified\ntime, they suspend and eventually delete the logonid.\n\nxxxxxxx distinguishes a normal user from users who have different participant roles.7\nFor example, the manager role (MGR) uses features of the application to approve\naccess requests. If the user request comes from a contractor, a Contracting Officer\xe2\x80\x99s\nRepresentative must also approve. The Functional System Coordinator (FSC) role\nvalidates requests for access to critical or sensitive8 applications, which requires an\nadditional approval step. The FSC can also revoke user access to all applications if the\nmanager does not. The FSC is also the application business owner. The Logon ID\nAdministrator has final request approval and activates the account for new users. 
The\nrequesting manager then receives notification of the activation and approval.\n\n\n4\n  Xxx XXX xx xXxxxxx xxxxxxx xx XXX xxxxx XX xx Xxxxxx XXXXXXXXX.\n5\n  Xxx xxxxxxxxxxxx, xx xxxxx xx \xe2\x80\x9cxxxxx XX\xe2\x80\x9d xx x xxxx xxxxxxx xx XXX xxx \xe2\x80\x9cxxxxxxx\xe2\x80\x9d xx x xxxx xxxxxxx xx XXXXXXX.\n6\n  According to Handbook AS-805, Information Security, March 2002 (updated with Postal Bulletin revisions through\nNovember 26, 2006), Section 9-6.3, Suspending Logon IDs, and Section 9-6.5, Terminating Logon IDs.\n7\n  Participant roles have access to the xxxxxxx system, administration module, or utilities. Xxxxx xxxxx xxxxxxx xxx\nxxxxxxx Xxxxxx Xxxxxxxxxxxxx, Xxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxxxx, Xxxxxxxx Xxxxxxx Xxxxxxxxxxxxxx, XXX,\nXxxxx XX Xxxxxxxxxxxxx, Xxxxxxx, xxx Xxxxxxx Xxxxxxxx Xxxxxxx.\n8\n  Handbook AS-805, Section 3-3.2, Sensitivity and Criticality Category Independence, states \xe2\x80\x9cSensitivity and criticality\nare independent designations. All Postal Service information must be evaluated to determine both sensitivity and\ncriticality. Information with any criticality level may have any level of sensitivity designation and visa versa.\xe2\x80\x9d\n\n\n\n                                                          2\n                                               Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                 IS-AR-08-009\n\n\n\nSeveral organizations manage or provide technical support for xxxxxxx. The Corporate\nInformation Security Office, as Executive Sponsor for xxxxxxx, provides oversight\nincluding development, production, and maintenance. The Database Support Services\ndatabase administrators ensure Oracle database availability and performance, and\naccess control to the database. The Information Technology Engineering and\nArchitecture group manages the contractors supporting the xxxxxxx application\ninfrastructure and the bridging software. 
The contractor, XXxxxxxx xxxxxx xxxx\nxxxxxxxxxxxxxxx, develops and maintains the xxxxxxx application software and the\nbridging software to xxxxxx xxxxxxxxx, as well as the system documentation.\n\nXXXX9 xxxxxxxxx xxxx xxxxx xxxxxxx, xxxxxxxxx xxxxxxxxxxxx xxxxxxxxxx xxxx. xx\nxxxxxxxx xxx xxxxxxxxx xx xxx xxxxxx xxxxxx xxxxxxx xxxxxxxxxxxx, xxxxxxxxx\nxxxxxxxxxxxxxx xxxxx xxxxxxxxxxxxxxxxxxxx, xxxxxxxxx (xxxxxxxxxxxxxxxxx), xxx\nxxxxxxx (xxxxxxxxx). XXXX xxxxxxxxxxx xxxxxx xx xxxxx xxxxxxxxxx xx xxxxxxx. xx\nxxxxxxx xx xxxx xxxxx xxxxxxx, xx xx xxxxxxx xx xxxxxxxx xxxxxxxx xxxxxxxxxxxxx.\nxxx xxxxxxx, xx xxxxx xxxxxxxx xxxxxxx xx xxxx xxxxxxx, xxx xxxx xxxxxxx xx\nxxxxxxxxxxx, xxxxxxxxxxx, xxx xxxxxx. xxxxxxxxxxxx, xx xxx xxxxx xxxxxxx-xxxxxxxx\nxxxxxxxxxxxx xxxxxxxxxxx, xxxxxxxxx xxx xxxxx xxx xxx xxxxx. xxx xxxxxxx, xxx\nxxxxxxx (xxxxxxxxxx) xxxxxxxx xxx \xe2\x80\x9cxxxxx xxxxxxxx,\xe2\x80\x9d xxx xxx xxxxxxxx xxxxxxxx xxx\nxxxxxxxxx.\xe2\x80\x9d xx xxx xxxx xxxxx xx xxxxxxxx xxxxxxxx xx x \xe2\x80\x9cxxxxxx xxxxxxxx,\xe2\x80\x9d xxxxxxxxx\nxxx xxxxx xxx xxx xxxxx.\n\nxx currently tracks rural carrier and Postal Inspection Service employees assigned to\ndetail positions. Because these temporary employment changes require increased\ncompensation, XXXX generates a PS Form 50. This situation applies primarily to rural\ncarriers who work in detail positions for more than 30 days. Besides tracking\nemployees assigned to temporary positions using the PS Form 50, the Postal Service\nalso uses PS Form 1723, Assignment Order. Payroll personnel use the PS Form 1723\nto keep a record of executive and administrative service and bargaining unit employees\nassigned to detail positions at a higher level. Employees who work in higher level detail\npositions and meet certain conditions become eligible for higher compensation. 
xx\ncurrently does not transmit PS Form 1723 data to xxxxxxx but could in the future if\nmanagement changed business practices for employees assigned to detail positions.\n\n                           Objective, Scope, and Methodology\nSee Appendix B for objective, scope, and methodology details.\n\n                                      Prior Audit Coverage\nWe did not identify any prior audits or reviews related to the objective of this audit.\n\n9\n xxxx xxxxxx xx xxx xxxx xxxxxxxxxxxxx xxxxxxxxxxxxxx xx xxx xxxxx xxxxxxxxx xxxxxx xx xxx xxx. xxx xxxxxx xxx\nxxxxxxx, xxxxxxxxxxxx, xxx xxxxxxxx xx xxxx xxxxxxxxxx. xx xx xxxxxxxxx xxxx, xxxxx xxxxxxxxx xxxxxxxx xxx\nxxxxxxxxx xxxxx xxxxx xxxxx xxx xxxxxxxxxx xxxxxxxxxx xxxxxx xx xxxx.\n\n\n\n                                                       3\n                                            Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                            IS-AR-08-009\n\n\n\n                                             Results\nThe automated and manual processes accurately extracted employment status\nchanges that were transmitted xx xxxxxx xxxxxxxxx xxx xxxxxxx; however,\nmanagement needs to improve controls to better separate duties for users who can\nupdate xxxx xxx xxxx xxx xxxxxxx xxxxxxx. Additionally, management needs to\nevaluate the business processes that affect employee status updates xxxxxxx xxxx and\nxxxxxxx to adequately separate duties between managers and users in xxxxxxx.\nManagement also needs to evaluate the business processes xx xxxx to allow xxxxxxx to\nbetter manage employee status changes, especially detail assignments that affect user\naccess to critical or sensitive systems. Finally, management needs to improve xxxxxxx\nsystem documentation.\n\nXxxxxxxxxx xxx xxxxxxxxxx xx xxxx xx xx xxxxxxxx xxxxxxxxxxxx xx xxxxxxx, xxxxxxx\nxxx xxxxxxxx, xxx xxxx xx xxxxx xxxxxx xxxxxxxxxxxx xxxxxx xx xxxxxxxxxxxxx xxxxxxx\nxx xxxx. 
We made four recommendations to address these issues, including a joint\nrecommendation to Employee Resource Management and Information Technology\nOperations to review the manager roles xx xxxx and xxxxxxx to determine how to better\nintegrate the roles. We also recommended that appropriate Postal Service\norganizational units establish requirements for tracking employees assigned to detail\npositions, implement a planned enhancement to xxxxxxx to ensure reviews take place\nwhen significant job assignment changes occur, and keep system documentation\nupdated. While management did not agree with some facts in the findings leading up to\nrecommendations 1 and 2, they recognized that the conditions were valid and agreed to\ncorrect them. Management fully agreed with recommendations 3 and 4. Management\xe2\x80\x99s\ncomments and our evaluation of these comments are included in the report.\n\nSeparation of Duties\n\nXxx Xxxxxxx xxxxxx xxx xxxx xxxxxxxx xxxxxxxxxxxxxx xxxxxxx xxxxx xx xxxxxx xxxx\nxxxxxxx. xxxx xxxxxxxx xxxxxxx xxx xxxxxxx xxx xxx xxxx xx xxxxxxxxx xx xxxxxxxx\nxxxxxxxx xxxx xxxxxxx xxxx. xxxx, xxxxxxx xxxxxxx xxxxx xxxx xxx xxx xxxx xx xxxxx\nxx xxxxxx xxxxxx xx xxxxx xxx xxxxx xxxxx xxxxxxxxxxx. xxxx xxxxxxxx xxxxxxx\nxxxxxxx xxxxxxxxxx xxx xxxxxxxx xx xxxxxxx xxxxxx xx xxx xxxxxx, xxx xxxxxxx\nxxxxxxxxxxxxx xxxx xx xxxxxxx xxxx xxxxx xxx xxxxxxxxxxxx. Postal Service policy\n(policy) states that individuals\xe2\x80\x99 functional roles should be separate and their access\nshould be limited to a minimum level. 
Separation of duties for application access is\nessential to ensure personnel have appropriate access levels to corporate information.\n\nSecurity Interface for the Payroll System and the xxxxx xxxxxxx xxxxxxxxxx xxxxxx\n\nxxx xxxxxxx xxxxxx xxx xxxx xxxxxxxxxxxxxx xxx xxx xxxxxxx xxxxx xxxx xxxxxxxx xxxx\nxxxxxxx xxxxxxx xxxxxxx xxx xxxx xxxx xxxxxxxx xxxxxxxx xxxxxxx xxxx xxxx xxx\nxxxxxxxxxx xx xxxxxxxxxxx xxxx xxxxxx xxxxxxxxx xxxx xxxx xxxxx. xxxxx xxxx xxxxxx\nxxxxxxxxxx xx xxx xxxxxx xxxxxx xx xxxxxxxxxx xx \xe2\x80\x9cxxxx xxxx\xe2\x80\x9d xxxxxxxxxx xx xxx xxxxx\n\n\n\n                                                   4\n                                        Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                     IS-AR-08-009\n\n\n\nxxxxxx. xxxxxxxxxx xxxxxxxx xxxxxxxxx x xxxxxxxx xxxxxx xxxxxxx xx xxxxxxx xx\nxxxxxxxxx xx xxxxxxxx xxxxxxxx xxxx xxxxxxx xxxxxxx. xxxx xxxxxxxx xx xxxxx\nxxxxxxxxxxxx xxxx xxxxxx xx xxxxx xxxx. xxxxxxx xxxx xxxxxxxxx, xxxxx xx x xxxx xxxx\nxxxxx xxxxx xxxxxx xxxxxxxxx xx xxxxxxxxxx xxxxxxxxxxxx xx xxx xxxxxxx xxx xxxxx\nxxxxxxxx xxxxxxx.\n\nWe are not providing a recommendation for this issue since management has an action\nin process to correct this condition.\n\nSeparating the MGR Role in xxxxxxx\n\nxxxxxx xxxxxxx xxxxxxxx xxxxxxxxx xxxx xxxx xxxxxxxxxxx xxxxxxx xxxxxxx xxxxxxxxx\nxxxxxx xxx xxx xxxx xxxxx. xx xxxxxxx xxxx xxxxxxx, xxxxxxxxxx xxxxxxxxxxx x\nxxxxxxxxxx xxxxxxx xx xxxxxxx xxxx xxxxxx xx xxx xxxxxxxx xx xx xxxxxxxxxxx xxxxxx\nxx xxxxxx xx xxxxxx x xxxxxxxxx xxxxxxxx, xx xxxx xx xxxxxx x xxxxxx xxxxxx xx xxx\nxxxxxx.10 xxxxxxxxxxxxx xx x xxxxxxxxxx xxxxxxx, xxxxxxx xxxxxxx x xxx xx xxx xxxx\nxxxxxxx xxxxxxxxxxxx xx xxx xxxxxxxx xxxxx xxxxxxxxx xxxxx xxxxxxx xxxxxxxxx xxx\nxxxxxxxxx xxxxxxx\n\nXxxxxxx, xxxxxxx xxxxxx xxxxx xx xxxxxx xxxxx xxxxxxx xxxxx xxxxxxx xxxx xx xxxxx x\nxxxxxxx xxx xxxxxx xx xxxxxx xxxx xxx xxx xxxx. 
xxxx xxxxxxxxx xxxxxxxx xxx\nxxxxxxxxxxx xxxx xxxxxxxxxxx xxxxx xxxxxx xxxxxx xx xxxxxxxxx xx xxxxxxxx\nxxxxxxxxxxx xxxxxxx xxxx xxxxxx xxx xx xxxxxxxxxx xx xxxxxx. xxxxxxxxxxxx xxxxxx\nxxxxxxx xxx xxxxxx xxxxxxx xx xxxxxxxxx xxxxxxxxxxxx, xxxxxxxxxx, xx xxxxxxxxxxx xx\nxxxxxxxxx xxxxxxxxxxx. xx xxxxxxxx xxxxxxx xxxxxxx xxx xxxxxxxxxx xxxx xxx xx\nxxxxxx xxx,xxx xxxxxx xxxxx, xxxxxx xxxxxx xxx xxx xxx xxxx xxx xxxxx xxxxxxx xxxxxx\nxxxxxx xxxx.\n\nxxxx xxxxxxxx xxxxxxx xxx xxxxxx xxxxxxx xxxxxxxxxx xxxxxxxx xxx xxxxxx xx xxxxxxx\nxxxxxx xxx x xxxxxx xxxxxx, xxx xxxxxxx xxxxxxxxxxxxx xxxx xx xxxxxxx xxxx\nxxxxxxxxxxxx. xxxxxxxxxxxx, xxxxxxx xxx xxx xxxx xx xxxxxxxxxxxxxx xxxxxxxxx xxxx\nxxxxx xxxxxxxxxxxx xxxxx xxxxxx xxxxxxxxx xx xxxxx xxxxxxxx xx xxxxx xxxxxxxxxx\nxxxxxxxx. xxxxxxxx, xxxx xxx xxx xxxx xxx xxxxxxxxxxx xxxxxxxxx xx xxxx xxxxxxx-\nxxxxxxxx xxxxxx xxx xxx xxxxx xx xxxxxxxxxx xxxxxxx xxxxxxxxxx xxxxxx xxxxxxx xxxx\nxxxxx xx xxxxxxxxx xxx xxxxxxx xx xxxxxxxx xxxx xxxxxxxx. xxxxxxxxxxxx xxxxxx\nxxxxxxx xxx xxxxxx xxxxxxx xx xxxxxxxxx xxxxxxxxxxxx, xxxxxxxxxx, xx xxxxxxxxxxx xx\nxxxxxxxxx xxxxxxxxxxx. 
xx xxxxxxxx xxx xxxxxxxx xxxxxxxxx xx xxxxxx xxxx xxxx xxx\nxxxxxxx, xxxxxxx xxxxx xxxxxxx xxx xxxxxxxx xx xxxxx xxxxxxx xx xxxxxxxx xxx xx\nxxxxxxxxxx xxxx xxxxxx xxxx xx xxxxxxxxxx xxxxxxxxxx xxxxxx xxxxxxx.\n\nPolicy states that access to information resources must be specific to individuals\xe2\x80\x99 roles\nand responsibilities, and separation of duties and responsibilities will be considered\nwhen defining roles.11 Additionally, personnel should only have access to sensitive and\n10\n     According to a system design document, the FSC must provide a rationale for denying a request.\n11\n     Handbook AS-805, Section 9-4.1.3, Separation of Duties.\n\n\n\n                                                           5\n                                                Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                         IS-AR-08-009\n\n\n\ncritical information resources based on the minimum level of system functionality they\nneed to perform their duties.12\n\nThe Corporate IT Portfolio organization formed a group13 to help the Postal Service\ncomply with Sarbanes-Oxley Act of 2002 (SOX) business requirements. We reviewed\nthree security enhancements14 the group plans to implement in xxxxxxx. For example,\nwhen an employee requests a change in the assigned manager, the former manager\nand the new manager must approve this change. Management also plans to implement\na process where the MGR or FSC performs a bi-annual review of user access to\napplications. xxxxxxxxxxxxx xxxx xxxxxxxxx xxxxxx xxxxxxx-xxxxxxxx xxxxxxxxxxxxx\nxxx xxx xxxxxx xxxxxxx xxxxxxxxx. 
xx xxxxxxx xxxxxxxxxx xxxxxx xxxxxxxx xxxx\nxxxxxxxxxx xx xxxxxxx xxx xxxxxxxxxx xx xxxxxx xxxxxxxx xx xxxxx xxx xxx xxx xxxx.\nxxxx xxxx xxxxxxx xxxxxxxxxx xx xxxxxx xxx xxxxx xxx xxx xxxx xxx \xe2\x80\x9cxxxxx xxxxxxxx\xe2\x80\x9d\nxx xxxxxxx xxx xxxx, xxxxxxxxxxxx.\n\nBased on the planned SOX security enhancements, we are not providing a\nrecommendation to make any changes to xxxxxxx.\n\nRecommendation\n\nxx xxxxxxxxx xxx xxxx xxxxxxxxx, xxxxxxxx xxxxxxxx xxxxxxxxxx, xxxxxxxxxx xxxx xxx\nxxxx xxxxxxxxx, xxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx, xx:\n\n     1. Xxxxxx xxx xxxxxxx xxxxx xxxxxxx xx xxx xxxxx xxxxxxx xxxxxxxxxx xxxxxx xxx\n        xxxxxxx xx xxxxxxxxx xxx xxxxx xxxxx xxx xx xxxxxxxxxx, xx xxx xxxxx xxxxxxx\n        xxxxxxxxxx xxxxxx xxx xxxx xxxxxxxx xxx xxxxxx xxxxxxxxxx xxxxxx xxxx xx\n        xxxxxxx.\n\nManagement\xe2\x80\x99s Comments\n\nxxxxxxxxxx xxxxxxxxx xxxx xxxxx xxx x xxxxxxx xxxx xxx xxxx xx xxxx xxxxxxx xxxxxxx\nxxx xxxxxxxxx xxxxxxxxx. xxxxxxx, xxxx xxxxxx xx xxxx xxxxxxxxxx xxxxxx xx xxxxxxx\nxxxxx xxxx xxxxxxxxxxx xxx xxxxxxx xx xxxxxxx xx xxx xxxxxxxxx xxxxx. xxxxxxxxxx\nxxxxxx xxxx xxx xxxxxxxxx xxxxxxxx, xxxxx xxxxxxx xxxxxxxxxx, xxxxx xxxx xxxx xxx\nxxxxxxxx xx xxxxxxx xxx xxxxxxxxxxx xxxxxxxxxx xx xxxxxxxxx x xxxxxxxxx xxxxxxxx\nxxxxxxx xxxxx xxxx xxx xxxxxxxxxx xxxxxxx xxxxxxx xxx xxx xxxxx xxxxxxxxxx\nxxxxxxxxxx xxxxxxx xxxx xxxxxxx xxx xxxxxx. xxxxxxxxxx xxxxxxxx xxx xx, xxxx, xx\nxxxxxxxx xxxx xxxxxxxx. xxxxxxxxxxxx xxxxxxxx, xx xxxxx xxxxxxxx, xxx xxxxxxxx xx\nxxxxxxxx x.\n\n12\n   Handbook AS-805, Section 9-4.1.4, Least Privilege.\n13\n   The IT SOX/Postal Reform Portfolio group xxxxxxxxxx xx xxxxxxxxxxxx xx xxxxxxx, as part of the \xe2\x80\x9cFY08 SOX\nSecurity Enhancements\xe2\x80\x9d project. 
The recently signed Postal Accountability and Enhancement Act of 2006 includes a\nrequirement that the Postal Service be compliant with the SOX by the time it issues its first annual report in late 2010\n(for FY 2010).\n14\n   xxxx x: xxxxxxxxxxx xxxxxxxx xxxxxxx xxx xxx xx xxxxxx xxxx xxxxxx; xxxx x: xxxxxxxxxxx xxxxxxxxx xxx xxxxxxxx\nxx xxx xx; xxx xxxx xx: xxxxx xxxxxx.\n\n\n\n                                                          6\n                                               Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                              IS-AR-08-009\n\n\n\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nAlthough management disagreed with some facts in the finding, their response was in\nagreement with the recommendation\xe2\x80\x99s intent, and their comments are responsive. The\nactions planned or taken should correct the issues identified in the finding.\n\nxxxxxxx Tracking for Employees Assigned to Detail Positions\n\nManagement did not design xxxxxxx to track employees assigned to detail positions.\nAdditionally, management did not implement xxxx to take full advantage of tracking\ndetail positions. The IT SOX/Postal Reform group believes they can implement a\nprocess (with the assistance of Human Resources personnel) where employment\ninformation changes in xxxx activate a notification to xxxxxxx managers to review the\naffected employees. Policy requires management to base access on the security\nprinciples of least privilege and the need to know. 
Tracking employees in detail\nassignments can prevent inappropriate access to applications because users who no\nlonger require access are identified and their access needs can be reviewed and\nmodified.\n\nxxxxxxx did not have the full capability to track employees assigned to detail positions.\nxxxxxxxx xxxxxxxxxx xxxxxxxxx xxxxxxxxx xxxxxx xx xxxxxxx xx xxxx xxxxxx xxxxxxxx\nxxxxxxxxxxx xxx xxx xxxxxx xxxxxxxxxx, xxxx xxxxxxxxxx xxxx xxxxxxx xxxxxxxx xx\nxxxxxxxxx xxxx xxxx xx xxxxxxxxxxx xxxxxxx xx xxxxxxxxxx xxxxxx. xxxxxxxxxxxx,\nxxxxxxxxxx xxx xxx xxxxxxxxx xxxx xx xxxx xxxx xxxxxxxxx xx xxxxxxxx xxxx xxxxxx\nxxx xxxxxxxx xxxxxx xxxxxxxxx. xxxx currently tracks 259 employees assigned to\nformal detail positions; however, according to management, over 23,000 employees\nwork in detail assignments.\n\nxxxx xxxxxxxx xxxxxxx xxx xxxxxx xxxxxxx xxxxxxxxxx xxxxxxxx xxx xxxxxx xx xxxxxxx\nxxxxxx xx x xxxxxx xxxxxx, xxx xxxxxxx xxxxxxxxxxxxx xxxx xx xxxxxxx xxxx\nxxxxxxxxxxxx. xxxxxxxxxxxx, xxxx xxx xxx xxxx xxx xxxxxxxxx xxxxxxxxx xx xxxx xxx\nxxxxxxxxxxx xxxxxxxx xxxxxx xxxxxxxxxxx xx xxxxxxx, xxx xxxxxxx xxxxxx xxx xxx\nxxxxx xx xxxxxxx xxxxxxxxxx xxxxxx xxxxxxx xx xxxxxxx.\n\nWithout adequate controls to track employees assigned to detail positions, individuals\nmay retain access to sensitive or critical information resources that they are not\nauthorized to access after the detail ends. 
Preventing such unauthorized access\neliminates potential modification, disclosure, or destruction of corporate information.\n\nPolicy states that management will grant access to sensitive and critical information\nresources based on providing personnel with the minimum level of system functionality\nneeded to perform their duties.15 Additionally, management must limit access to\n\n15\n     Handbook AS-805, Section 9-4.1.4, Least Privilege.\n\n\n\n                                                          7\n                                               Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                              IS-AR-08-009\n\n\n\nsensitive information resources to personnel who need to know the information to\nperform their duties.16\n\nThe IT SOX/Postal Reform group believes they can implement a process (with the\nassistance of Human Resources personnel) where employment information changes in\nxxxx activate a notification to xxxxxxx managers to review the affected employees. For\nexample, if any changes occur (duty station, finance number, occupation code, and\nemployment status), xxxx can pass them overnight to xxxxxxx, which will generate\nemails to the appropriate managers. We believe management should leverage this\ncapability in xxxx xxx xxxxxxx so that unneeded access does not continue after\ntermination of a detail assignment.\n\nRecommendation\n\nWe recommend the Vice President, Employee Resource Management, coordinate with\nthe Vice President, Information Technology Operations, to:\n\n       2. 
Review the capabilities and establish requirements in the xxxxx xxxxxxx\n          xxxxxxxxxx xxxxxx for tracking employees assigned to detail positions and how\n          to pass timely and accurate data to xxxxxxx.\n\nManagement\xe2\x80\x99s Comments\n\nManagement disagreed that there was an issue with data that is passed xxxxxxx xx\nxxxxxxx for formal detail assignments where PS Form 50s were generated.\nSubsequent to receipt of the formal response, we received information to clarify this\nresponse. Management stated that the Executive Director, Xxxxx Xxxxxxx Xxxxxxxxxx,\nwill work with Information Technology xx xxxxxxx xxx x xxxx xxxxxxxx xxxxxx xxxxxxx\nxx xxxx xxx xxxxxx xxx xxxxxxx xxxxxxx xx xxxxx xxxxxx xxxxxxx. They targeted this\naction for completion by May 30, 2008.\n\nManagement additionally agreed that data for informal detail positions, not resulting in\nPS Form 50 activity, were not passed through the system to xxxxxxx. Management\nstated that the Executive Director, xxxxx xxxxxxx xxxxxxxxxx, would work with the\nmanagers of Employee Resource Management and Information Technology to develop\nrequirements for tracking data for informal detail positions. Management targeted\nDecember 31, 2008, to complete this activity.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nManagement disagreed that there was an issue with data passed to the xxxxxxx\nsystem. However, their response was in agreement with the recommendation\xe2\x80\x99s intent,\n\n\n16\n     Handbook AS-805, Section 9-4.1.2, Need to Know.\n\n\n\n                                                        8\n                                             Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                   IS-AR-08-009\n\n\n\nand their comments are responsive. 
The actions planned or taken should correct the\nissues identified in the finding.\n\nEvaluation of xxx User Access\n\nManagement did not reevaluate xxx logon ID access when employees were reassigned.\nThis occurred because management did not have any procedures in place to notify\nmanagers when employment changes occurred and when access should be\nreevaluated. Policy states that all managers have the responsibility of revoking access\nwhen it is no longer required. Reevaluating access when an employee\xe2\x80\x99s job\nresponsibilities change helps ensure employees have access to only the data and\nsystems needed to perform their work.\n\nEmployment changes affecting occupation code, finance number, or employment status\ncould result in different access requirements to information systems. Except for\nterminations, xxxxxxx has no functionality to notify managers when employment\nchanges occur and when access should be reevaluated. Managers or users can initiate\naccess changes, but the FSCs have the ultimate responsibility for approving the\nappropriate level of access.\n\nIn the mainframe environment, xxx xxxxxxxx used programs to compare employee\ninformation records xxxx xxx xxxxxxx xxxxxx xxxxxxxx xxxxxx xxxx xxxx xxxxxxx xxxx.\nxx xxx xxxxxxxx xxxx xxx xxxxxxx x xxx xx xxxx xxxx xxxxxx x xxxxxxxxx xxxx, xxxx\nxxxxxxx xxx xxxxxxxxxx xxxxxx xxx xxxxxxx.\n\nPolicy states that all managers must immediately revoke access to information\nresources for personnel who no longer require it because of a change in job\nresponsibilities, transfer, or termination.17\n\nThe IT SOX/Postal Reform group identified three SOX security enhancements18\nbeginning in mid-2008 that will address this issue. 
Based on changes in employment\ninformation, appropriate xxxxxxx managers will receive timely notification to review\nthese changes and determine if current employee access is required.\n\nRecommendation\n\nWe recommend the Vice President, Information Technology Operations, direct the\nManager, Corporate Information Security Office, to:\n\n     3. Develop and implement the planned xxxxxxx enhancement that will ensure\n        access reviews take place when significant changes occur in job assignments.\n\n\n17\n  Handbook AS-805, Section 9-4.2.7, Revoking Access.\n18\n  xxxx x: xxxxxx xxxx xxxxxx; xxxx xx: xxxxxxxx xxxxxx xxxxxxxxx xxxxxxx; xxx xxxx xx: xxxxx xxxxxxxxxxxx xx\nxxxxxxxx xxx xxxxx.\n\n\n\n                                                        9\n                                             Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                            IS-AR-08-009\n\n\n\nManagement\xe2\x80\x99s Comments\n\nManagement agreed with the recommendation. Management stated that, as part of the\nSarbanes-Oxley effort, they are currently programming xxxxxxx to alert managers to\nreview system access when an employee\xe2\x80\x99s job status changes. Management targeted\nMay 30, 2008, to complete this activity.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nManagement\xe2\x80\x99s comments are responsive to the recommendation, and the actions\nplanned or taken should correct the issues identified in the finding.\n\nSystem Documentation for xxxxxxx\n\nThe contractor did not maintain up-to-date system documentation for xxxxxxx. Policy\nstates the principle of configuration management includes the responsibility of\nadequately maintaining system documentation.19 Current system documentation is\nimportant for tracking system changes and ensuring the system is operating as\ndesigned.\n\nxxx xxxxxx xxxxxxxxxxxxx xxxx xx xxxxxxxx xxx xxxxxxx xxx xxx xx xxxx. 
xx xxxxx xx\nxxxxxxx xxxxxxxx xx xxx xxxxxxx xxxxxxxx xxxxxx, xx xxxxxx xx xxxx xxxxxxxxx xxxxxx\nxxxx xx xxxxxxx xxxx. xxx xxxxxxx, xxx xxxxxxxxx xxxx xxxxxxxxx xxxxx xxxxxx xxx\nxxxxxx xxxx xxx xx xxxx xxx xxxxxxxxx xx xx xxxxxxx. xxxxxxxxxxxx, xxxxx xxxxxxxxx\nxxxx xx x xxxxxxxx xxxxxx xxx x xxxxxx xxxx xxxxx xxx xxx xxxx xxx xxxxxxx xxxxxxx.\nxxxx xxxxxxxx xxxxxxx xxx xxxxxxxxx xx xxxx xxx xxx xxxxxxx xxxx xxx xxxxxxxxxx\nxxxxxx xxxxxxx xxxxxx xxxxxxxxxxxxx. xxx xx xxxxxxxxxx xxxxxx xxxxx xxx xx\nxxxxxxxxxxx xxxxxxx xxx xxxxxxxx xx xxxxxxx xxxx xxxxxxxx.\n\nGood configuration management provides integrity and traceability to software\nthroughout the change life cycle. As a best practice, keeping system documentation\ncurrent is important for tracking system changes and assuring the system is operating\nas designed.\n\nRecommendation\n\nWe recommend the Vice President, Information Technology Operations, direct the\nManager, Corporate Information Security Office, to:\n\n     4. Review and update system documentation for xxxxxxx, and implement a process\n        to ensure system documentation is kept current in the future.\n\n\n\n19\n Management Instruction AS-850-2002-10, Information Technology Change and Configuration Management,\nOverview section, August 22, 2002.\n\n\n\n                                                   10\n                                         Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                           IS-AR-08-009\n\n\n\nManagement\xe2\x80\x99s Comments\n\nManagement agreed with the recommendation. Management stated that, as part of the\nSarbanes-Oxley enhancements to xxxxxxx, they will ensure that documentation is kept\nup-to-date, including any required changes to documentation due to system\nenhancement or maintenance. 
Management targeted June 30, 2008, to complete these\nactivities.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nManagement\xe2\x80\x99s comments are responsive to the recommendation, and the actions\nplanned or taken should correct the issues identified in the finding.\n\nThe U.S. Postal Service Office of Inspector General (OIG) considers recommendations\n1 through 3 significant, and therefore requires OIG concurrence before closure.\nConsequently, the OIG requests written confirmation when corrective actions are\ncompleted. These recommendations should not be closed in the follow-up tracking\nsystem until the OIG provides written confirmation that the recommendations can be\nclosed.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Gary Rippie, Director,\nInformation Systems, or me at (703) 248-2100.\n\n E-Signed by Tammy Whitcomb\nERIFY authenticity with ApproveI\n\n\n\nTammy L. Whitcomb\nDeputy Assistant Inspector General\n for Revenue and Systems\n\nAttachments\n\ncc: Ross Philo\n    H. Glen Walker\n    Harold E. Stark\n    John P. Byrne\n    Joseph J. Gabris\n    Gregory \xe2\x80\x9cDean\xe2\x80\x9d Larrabee\n    Michael E. Goldman\n    Larry V. Goodman\n    Jerry M. McClure\n    Steven W. Monteith\n    Nancy M. Laich\n    Katherine S. Banks\n\n\n                                                  11\n                                        Restricted Information\n\x0cUpdate Processes for xxxxxx xxxxxxxxx xxx xxxxxxx                                                 IS-AR-08-009\n\n\n\n              APPENDIX A. EMPLOYMENT STATUS DATA FLOW\n\n\n\n\n                                                Redacted\n\n\n\n\nxxxx:\nxxx xxxxxxxxxxxx xxxxx xxxxxxxxxx xxx xxxxxxx xxxx xxxx xx xxx xxxx xxx xxxx. xxx xxxxxxx xxxxxxxx xxxxxxx xx\nxxxx (xxx xxxxxxx) xxxxxx xxx xxx xx xxxxxxxxxxx xxxxxxx xx xx xxxxx xxxxxxxxx. 
xxx xxxx xxxxxxxxx xx xxxxxxx
xxxx xxx xx xxxxxxxxxxx xxx xxxxxxxxx xxxxx xxx xxxxxxx xxxx xxxxxxxx xxxxxxx.

APPENDIX B. OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to evaluate the controls over employee and contractor
employment status updates to the xxxxxx xxxxxxxxx (xxx) xxx xxxxxxx (xxxxxxxxx)
xxxxxxx.

We conducted this audit at the Information Technology Service Center in Raleigh,
North Carolina; the Information Technology and Accounting Service Center in Eagan,
Minnesota; and at xxxxxxxx xxxxxx xxxx xxxxxxxxx, xxx., a contractor in xxxxxxxxxx
xxxxxxxx. Specifically, we worked with managers in the following functional areas: IT
Engineering & Architecture (xxxxxx xxx xxxxxxxx xxxxxxxxxx xxxxx20xxx xxxxxxxxx
xxxxxxxx xxxxx21xx xxxxxxxxxx xxxxxxxx xxxxxxx xxxxxxxxx xxxxxx (xxxx); xxxx
xxxxxxxxx xxxxxxxx xxxxxxxx (xxxxxxx); xxx xxxxxxxxxx xxxxxxx xxx xxxxxxx, xxxxxxxx
xxxxxx.

To accomplish this objective, we interviewed key managers to identify the information
systems that provide employment status data to xxxxxx xxxxxxxxx xxx xxxxxxx. We
also identified the processes that passed employment hiring, termination, and change
(PS Form 50) data from xxxx xx xxxxxx xxxxxxxxx and from the xxxxxxx xxxxxx
xxxxxxxx xxxxxx xxxx xx xxxxxxxx. Furthermore, we identified internal controls (such as
participant roles) in xxxxxxx to verify management had adequately separated the duties
of employees assigned these roles.

We reviewed manual and automated procedures that managers used to track employee
status changes. Additionally, we identified manual and automated processes that allow
users to gain access to the xxx and mainframe environments.
Finally, to determine if
the Postal Service had plans to make major changes to any of the systems providing
employment status data, we reviewed a document22 highlighting 20 planned security
enhancements to xxxxxxx. The IT SOX Postal Report Portfolio Organization identified
these enhancements to comply with SOX business requirements.

To determine the number of active employees in xxxxxxx, we used automated tools and
analyzed about 1.3 million user records xxxx xxx “xxxxx” xxxxxx.23 We identified active
users based on the values in the user status and employee status fields.24 xx
xxxxxxxxxx xxx xxxxxx xx xxxxx xxxx xxx xxx xxxx xxxxx xx xxxxxxxx xxxxxxx xxxx xxx
xxxxxxxxxxxxxxxxx” xxxxx xx xxx xxxx xx xxxxxxxxxx xxxxxxxxxx xxxxxx xxxxxx.25 We
tested the xxxxx xxxxx for duplicate records and found none.

20 xxx xxxxxxxxxxxxxxx xxxxxxxxxx xxxxx xx xxx xxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxxx, xx xxxxxxxx xxxxxxxxx
xxxxxxxx xxxxxx xxxxxxx xxxxx xxxxxx xxxx xxx xxxxxxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxxx xx xxxxxx xxxxxxx
xxxxxxxxx xxxxxxxxx.
21 xxx xxxxxxxxx xxxxxxxx xxxxx xxxxxxxxx xxx xxxxxxxxxxxx xxx xxxxxxxxxxx xxx xxxxxx xxxxxxxx xxxxxxxxxxx.
22 “xxxxxxx FY08 SOX Security Enhancements” was dated October 2007.
23 We obtained authorization to gain access to the xxxxx xxxxx and downloaded records on October 21, 2007.
24 xx xxxxxxxxxx xxxxxx xxxxx xxxxx xxxxxxxxxxxxxxxxxxx xxxxxx xxxxxxx “x” (xxxxxx xxxxxxxx) xxx
xxxxxxxxxxxxxxxxxxx xxxxx xxxxxx xxxxxxx “x” (xxxxxx).
25 xx xxxxxxxxxx xxxxx xxxx xxx xxx xxxx xxxxx xxx xxxxxxx xxxxx xxxxxx xxxxxxx xxxxxx.

We conducted this audit from August 2007 through March 2008 in accordance with
generally accepted government auditing standards and included such tests of internal
controls as we considered necessary under the circumstances. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective. We used manual and automated
techniques to analyze the computer-processed data. Based on the results of these
tests and assessments, we generally concluded the data were sufficient and reliable to
use in meeting the objective.

APPENDIX C. MANAGEMENT’S COMMENTS